Menu
Browse

Cyber Threat Actor: Lazio Hacker

Actor Type Location Known Incidents
 Icon
Criminal
Italy
1 incident
Profile

Lazio Hacker is the alias usedby a threat actor whose known operational base is located in Italy. The actor came to public attention through a single, well‑documented incident in which an Italian football club was defrauded of approximately two million euros. The fraud involved a deceptive email that appeared to originate from the Dutch club Feyenoord, conveying false banking instructions that redirected the final transfer installment for defender Stefan de Vrij to an unauthorized account in the Netherlands. The recipient club denied receiving the funds and disavowed the communication, while investigators traced the misdirected payment to an unrelated Dutch bank account. This event occurred during contract negotiations for the player, who had initially joined the Italian side for a higher fee but was set to leave without a transfer fee due to unresolved terms. No additional aliases or geographic details beyond the Italian location have been publicly attributed to this actor.

The targeting observed in the Lazio Hacker case focuses on the sports sector, specifically football clubs involved in high‑value player transfers, with the immediate victim situated in Italy and the fraudulent proceeds routed through a Netherlands‑based account. The actor’s strategic objective, as evidenced by the incident, is financial gain achieved through social engineering and invoice manipulation rather than espionage, disruption, or data theft. The tactics, techniques, and procedures demonstrated include the use of spoofed emails to impersonate a trusted entity, the creation of fraudulent payment instructions, and reliance on human interaction to execute the fraud; no malware families, exploit tools, or specific tooling styles were referenced in the reporting. Publicly available sources do not establish any state affiliation, criminal consortium, or broader campaign linkage for Lazio Hacker, and the 2018 email scam remains the sole notable operation attributed to this actor. Consequently, the profile is limited to the confirmed facts of the actor’s alias, location, the single financially motivated incident, and the observed TTPs of email spoofing and fraudulent banking redirection.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources